Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

7.
Introduction
“Your Personal Data is Worth Pretty Penny, But it All Depends On Who
Wants it” TrendMicro
Average for personal Data Between 0$-1200$
If you want to know how much your Personal Data Worth Check this
Website :
http://www.ft.com/cms/s/2/927ca86e-d29b-11e2-88ed00144feab7de.html#axzz2ukFAZIUF

9.
Why Database Security Is Important
• Database is the most important Data Banking :
• Financial Data
• Client/Customer Data
• Corporate/organization Data.
• If the database stop working the company will lose money.
• If the database is getting hacked, imagine what happened to the
company.

10.
Why Database Security Is Important
• Ensure the data is confidential, and prevent any outsourcing
modification.
• Secure database provide an additional benefit which is data
management become more efficient and effective.
• Access to database should be only restricted to authorized people
only unless one thing it’s Public Database.
• Secure Database leads to monitor activity and knows
authorized people.

13.
How Database are Hacked ?
• As Database Administrator you need to know Threats that can effect
on your database.
• Definition of threats : context of computer security, refers to anything
that has the potential to cause serious harm to a computer system. A
threat is something that may or may not happen, but has the
potential to cause serious damage. Threats can lead to attacks on
computer systems, networks and more.
• Vulnerability: Existence of a weakness design or implementation
error that Existence of a weakness, design, or implementation error
that can lead to an unexpected and undesirable event compromising
the security of the system

14.
Elements Of Security
• Confidentiality :
• The concealment of information or resources.
• Authenticity
• The identification and assurance of the origin of information.
• Integrity
• The trustworthiness of data or resources in terms of preventing improper and
unauthorized changes.
• Availability
• The ability to use the desired information or resource

16.
What The Hacker Do ?
• Gather Information
• Active : Directly Such as social engineering
• Passive : Google search, Social media
• Scanning :
• use some tools for scan vulnerabilities of the system.
• Gaining Access:
• Penetration Phase, continue attacking to explore deeper into the target network.
• Maintaining Access
• Downloading Phase
• Clearing Tracks
“The more the hacker learns about your internal operations means the more likely he will be
intrude and exploit. So be Secure.”

17.
Attack Oracle-Database Server
• Database servers are usually hacked to get the critical information
• Mistakes made by the web designers can reveal the databases of the
server to the hacker
• Finding an Oracle database server on network is done using TCP port
scan
• Once Oracle Database Server has been discovered, First Port of call is
TNS Listener.

18.
Top Threats Effect on Database Server
• Unused Privileges:• When user are Granted Database access Privileges that exceed requirement
of their job these Privileges can lead to major issue if the user was know what
he is doing.
•
•
•
•
•
•
•
•
REVOKE CREATE DATABASE LINK FROM connect;
REVOKE EXECUTE ON utl_tcp FROM public;
REVOKE EXECUTE ON utl_smtp FROM public;
REVOKE EXECUTE ON utl_http FROM public;
REVOKE EXECUTE ON utl_mail FROM public;
REVOKE EXECUTE ON utl_inaddr FROM public;
REVOKE EXECUTE ON utl_file FROM public;
REVOKE EXECUTE ON dbms_java FROm public;

19.
Top Threats Effect on Database Server
• http://support.oracle.com
• Review database user privileges
• Note 1020286.6 - Script to Create View to Show All User Privs
Note 1050267.6 - SCRIPT: Script to show table privileges for users and roles
Note 1020176.6 - SCRIPT: Script to Generate object privilege GRANTS
• Revoke privileges from PUBLIC where not necessary
• Note 247093.1 - Be Cautious When Revoking Privileges Granted to PUBLIC
Note 234551.1 - PUBLIC Is it a User, a Role, a User Group, a Privilege ?
Note 390225.1 - Execute Privileges Are Reset For Public After Applying Patchset

22.
Top Threats Effect on Database Server
• Denial of service (DoS) :• Common DoS techniques include buffer overflows, data corruption, network
flooding, and resource consumption.
• It is an attack through which a person can render a system unusable or
significantly slow it down for system unusable, or significantly slow it down
for legitimate users, by overloading its resources.
• Attackers may:
• Attempt to flood a network, thereby preventing legitimate network traffic.
• Attempt to disrupt connections between two machines thereby Attempt to disrupt
connections between two machines, thereby preventing access to a service.
• Attempt to prevent a particular individual from accessing a service.
• Attempt to disrupt service to a specific system or person.

25.
Top Threats Effect on Database Server
• SQL Injection
• type of security exploit in which the attacker "injects" Structured Query
Language (SQL) code through a web form input box to gain Structured Query
Language (SQL) code through a web form input box, to gain access to
resources, or make changes to data
• Programmer use sequential commands with user inputs making it easier for
attackers to inject commands.
• Attacker can do SQL Commands through web application.
• For Example when a user logs onto a web page by using a user name and
password for validation a SQL query is user name and password for validation,
a SQL query is used.
• What I Need  Any Web Browser.

27.
Top Threats Effect on Database Server
If you get this error, then the website is vulnerable to an SQL injection
attack

28.
Top Threats Effect on Database Server
• But Wait How Can I Test SQL Injection !!!
• Different Way, Different Tools
• Easy Way to use Single Quote in the input
• Examples :
• • blah’ or 1=1—
• Login:blah’ or 1=1—
• • Password:blah’ or 1=1—
http:// www.mywebsite.com /index.asp?id=10
Will be like this
http:// www.mywebsite.com/index.asp?id=blah’ or 1=1--

29.
Top Threats Effect on Database Server
• Another examples for single quote usage in SQL Injection :
• ‘ or 1=1—
• “ or 1=1—
• ‘ or ‘a’=‘a
• “ or “a”=“a
• ‘) or (‘a’=‘a)
• The hacker breaks into the system by injecting malformed SQL into the query
because the executed query is formed by the concatenation of a fixed string and
values entered by the user:
• string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND
Password='" + txtPassword.Text + "'";

30.
Top Threats Effect on Database Server
• If the user enter valid username and password the query strQry will be changed
Like this :
SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password‘
• But The Hacker will not leave weak code Alone and he will enter :' Or 1=1 –
• The New Query Will be
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''
• 1=1 is always true for every row in the table, so assuming there is at least one row
in the table this SQL always return nonzero count of records.

34.
Top Threats Effect on Database Server
• Whether database auditing is enabled or disabled, Oracle will always audit
certain database actions into the OS audit trail. There is no way to change this
behavior because it is a formal requirement of the security evaluation criteria.
Documents Every DBA Should Read
•
•
•
•
•
NOTE:174340.1 - Audit SYS User Operations (How to Audit SYSDBA)
NOTE:553225.1 - How To Set the AUDIT_SYSLOG_LEVEL Parameter?
NOTE:1299033.1- Master Note For Oracle Database Auditing
Note 174340.1 - Audit SYS User Operations
note 1171314.1 Huge/Large/Excessive Number Of Audit Records Are Being Generated In The
Database
• Note 1509723.1 - Oracle Database Auditing Performance

35.
Top Threats Effect on Database Server
• Malware
• is software designed to infiltrate or damage a computer system without the
owner's informed consent The expression is a general term used by computer
professionals to mean a variety of forms of hostile, intrusive, or annoying
software or program code.
Report From Verizon Data:“69% breaches incorporated malware”
http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-DataBreach-Report-2012.pdf

36.
Top Threats Effect on Database Server
• Malware includes computer viruses, worms, trojan horses, spyware, adware,
most rootkits, and other malicious programs. In law, malware is sometimes
known as a computer contaminant, in various legal codes.

38.
Top Threats Effect on Database Server
• Storage/Backup Media Exposure
• When data is saved to tape, you want to be confident that data will be
accessible decades from now, as well as tomorrow.
• Backup database storage media is often completely unprotected from attack.
As a result, several high profile security breaches have involved theft of
database backup tapes and hard disks.
• Always Remember Company Data Means Money to another Person.

39.
Top Threats Effect on Database Server
• Unpatched Database
• Oracle Provide Something Called Critical Patch Updates.
• Critical Patch Updates are collections of security fixes for Oracle products.
• They are released on the Tuesday closest to the 17th day of January, April, July and
October. The next four dates are:
•
•
•
•
•
17th day of January.
15 April 2014
15 July 2014
14 October 2014
20 January 2015
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

41.
Top Threats Effect on Database Server
• Another Thing should be follow and Monitored which is :
• Security Alerts
• Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch
Update

42.
Top Threats Effect on Database Server
• Unsecure Sensitive Data:• Who has access to company data ?
• Dose the company meet requirement ?
• What Will make the Hacker Rich ?
• What Could damage the reputation of the organization ?

43.
Top Threats Effect on Database Server
• Limited Education/Trained end users:• Humans are the weakest link in the information security.
• The errors committed by the human elements of an organization remain a major
contributor to data loss incidents worldwide.
• What do we want to accomplish by making users aware of security?
•
•
•
•
Encourage safe usage habits and discourage unsafe behavior
Change user perceptions of information security
Inform users about how to recognize and react to potential threats
Educate users about information security techniques they can use

44.
Top Threats Effect on Database Server
• Challenges:•
•
•
•
Delivering a desired message to the end-user.
Motivating users to take a personal interest in information security.
Giving end user security awareness a higher priority within organizations.
No Budget in the company for Security Awareness.